track – Compare results of enumerations against common target organizations

db – Manage the graph databases storing the enumeration results

Each subcommand has its own arguments. Take the ‘intel’ subcommand, for example.

The intel subcommand can help you discover additional root domain names associated with the organization you are investigating. The data source sections of the configuration file are utilized by this subcommand in order to obtain passive intelligence, such as reverse whois information.

-active Enable active recon methods

-addr IPs and ranges (192.168.1.1-254) separated by commas

-asn ASNs separated by commas (can be used multiple times)

-cidr CIDRs separated by commas (can be used multiple times)

-config Path to the INI configuration file

-d Domain names separated by commas (can be used multiple times)

-demo Censor output to make it suitable for demonstrations

-df Path to a file providing root domain names

-dir Path to the directory containing the graph database

-ef Path to a file providing data sources to exclude

-exclude Data source names separated by commas to be excluded

-if Path to a file providing data sources to include

-include Data source names separated by commas to be included

-ip Show the IP addresses for discovered names

-ipv4 Show the IPv4 addresses for discovered names

-ipv6 Show the IPv6 addresses for discovered names

-list Print the names of all available data sources

-log Path to the log file where errors will be written

-max-dns-queries Maximum number of concurrent DNS queries

-noresolvrate Disable resolver rate monitoring

-noresolvscore Disable resolver reliability scoring

-o Path to the text output file

-org Search string provided against AS description information

-p Ports separated by commas (default: 443)

-public-dns Use public-dns.info resolvers

-r IP addresses of preferred DNS resolvers (can be used multiple times)

-rf Path to a file providing preferred DNS resolvers

-src Print data sources for the discovered names

-timeout Number of minutes to execute the enumeration

-whois All discovered domains are run through reverse whois

It has some visualization capabilities and can also output to other tools and in various formats such as D3.js, GEXF, Graphistry JSON, VisJS and Maltego format.